The NUG would like to propose replacing care.data with a system based on the original principles and design of the General Practice Extraction Service (GPES) and Pseudonymisation at Source (PAS).
Introduction
At the parliamentary select committee hearing on 25 February 2014 the witnesses were asked what they would like to see happen in the 6-month pause to care.data. The EMIS National User Group (NUG) felt that, as representatives of the users of the most widely used GP clinical system which is used in 55% of UK general practices, we should be putting forward a positive proposal for how we feel the research community should be enabled to make use of the data in the GP record databases. The NUG supports the broad aims of the care.data project to generate patient benefit through research and effective service planning. The principle reason behind why care.data has been received with such anxiety is to do with patient identifiable data being taken from the GP surgery. The effect of this is to cause (a) patients significant concern that there information shared in confidence with their GP will be in the hands of someone they did not choose to share that with and (b) concerns among GPs that they will not be able to exercise their role as data controller for all their patients. This being the case there are solutions that will allow data to be extracted from the GP surgery and keep both patients and GPs happy. There are two options available (1); with an explicit public information campaign, patients could be asked to opt in to the extraction rather than opt out as at present or (2) the information could be pseudonymised prior to extraction from the GP surgery or a combination of both. For the project to be really meaningful then it is important to have as large a data set as is possible hence the NUG supports second option i.e. the pseudonymisation route. The NUG would like to propose replacing care.data with a system based on the original principles and design of the General Practice Extraction Service (GPES) and Pseudonymisation at Source (PAS).
GPES. (http://www.hscic.gov.uk/gpes)
“The General Practice Extraction Service (GPES) is a centrally managed service that extracts information from general practice IT clinical systems for a wide range of purposes.” Commissioned at a cost of up to £40m by the Department for Health, GPES was planned as the single route for extracting data from GP clinical systems. Run by the Health and Social Care Information Centre (HSCIC) with clear governance principles arrived at through a process of consultation with professional and patient groups (http://www.hscic.gov.uk/media/1532/GPES-Information-Governance-Principle...). GPES provides a mechanism for any HSCIC customer to request a specific data set to be derived from the GP record. This dataset (at present) could be either aggregate or identifiable. Mechanisms are built into the system for GP practices to manage the consent for these extractions based on a detailed description on a case-by-case basis.
Pseudonymisation at source
Pseudonymisation is a process by which the patient identifiers are removed from a record and replaced by a string of characters. The resulting string has no real world meaning. This string is generated using a unique key, if the same key is applied it will result in an identical string, enabling lines of data to be matched. If however a different key is used the string will differ, and so the data will not be matched. By this means a project can match data across provider databases (e.g.GP and HES), but someone obtaining data from two separate projects would not be able to connect the data across the project databases.
This Pseudonymisation process can be applied in the originating system before the data is extracted, Pseudonymisation at Source (PAS). This means that data carrying patient identifiers never leaves the clinical system.
This process is already in use by several major research projects linking large-scale GP, Hospital Episode Statistics (HES) and Office of National Statistics (ONS) data successfully including historical data over the last 20 years. By combining it with simple techniques (such as rounding dates of birth to year of birth, and stripping off other identifiers and free text) and suitable governance controls at the HSCIC, it is possible to render a dataset de-identified before it leaves the source system. As the de-identified data would then not be personal data under the Data Protection Act this affects the likely application of the Act to the data which is being disclosed.
Proposal
The EMIS National User Group propose that PAS be included in the GPES process and that this is the route by which any customer obtains the information required for legitimate research and service planning. By including pseudonymisation-at-source technology within the GPES system, and making GPES a standard route to access the GP record for any new data extractions requiring access to GP records for research or service planning (including those requiring external data linkage), it makes best use of existing well established technology as well as clear agreed principles and governance processes. By generating project specific identifiers, it also reduces the risks of re-identification by inference by making sure that each dataset is the minimum required and that data cannot be linked across projects. If a researcher felt that such a linkage would be beneficial that would be a new project, to be assessed and go through the governance approval in its own right.
By ensuring that all system suppliers support PAS this can also be the standard for any authorised extractions from practice systems by other means than GPES, for example local commissioning datasets.
Project approval and key management
With this proposal projects would be submitted to the existing approval body the GPES Independent Advisory Group (IAG) http://www.hscic.gov.uk/gpesiag.
The process for managing the pseudonymisation keys is central to this proposal. The keys must be managed and held by a trusted independent third party such that the data recipient cannot re-identify patients. There are currently a number of PAS systems available, both Open Source and commercial by whom this could be managed. The two largest GP system suppliers (EMIS and TPP) who between them cover 80% of GP practices have already integrated PAS technology and have indicated it could be applied to care.data subject to large scale testing (http://www.yorkshirepost.co.uk/business/business-news/delays-to-nhs-proj...).
Use of Health and Social Care Act powers
The Health and Social Care Act 2012 (HSCA) gave the Secretary of State or NHS England the right to require the provision of identifiable data from any NHS provider to be delivered via HSCIC. It is not clear what Parliament had in mind when conferring these powers, but there does not at present appear to be any independent oversight or approval process. The mandating of the wholesale extraction of patient identifiable data in a way that bypasses the carefully constructed HSCIC IG documented above appears to the National User Group to be an abuse of this power. The proposed solution is also more compliant with NHS England’s own privacy impact assessment (http://www.england.nhs.uk/wp-content/uploads/2014/01/pia-care-data.pdf) in which they pledge to use minimum identifiable data for the purpose.
The NUG would like to see these new powers conferred by the Health & Social Care Act, overseen by an authoritative independent governance board in a similar manner to existing s251 powers, preferably on a statutory basis These should be seen as powers only to be used in exceptional circumstances, for example where a project of critical importance has been unable to obtain adequate data via an opt-in approach and where there is no practical alternative. In such a situation the case would be put to a body, representative of professionals and patients to review the need and recommend approval where appropriate.
Benefits of approach
By using existing software systems with established strong governance principles and procedures there can be clear information given to inform the public in making consent decisions. This process also removes the expense and risk inherent in holding a large single central database. It also maximises the use of the original design of the GPES system which was commissioned to deliver a solution based on the original principles.
Additionally by ensuring that all steps to disclosure have independent oversight it significantly reduces the risk of abuse, either well intentioned or malicious. This helps better protect patient confidentiality which is the cornerstone of the doctor-patient relationship and essential for the safe and effective delivery of healthcare.
Saturday 1 March 2014
Dr Geoff Schrecker on behalf of the EMIS National User Group gschrecker@emisnug.org